Skip to main content

Pi-hole FTL CVE-2026-39849

| EUVDEUVD-2026-27498 HIGH
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-05-05 security-advisories@github.com
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 05, 2026 - 22:02 EUVD
Source Code Evidence Fetched
May 05, 2026 - 21:33 vuln.today
Analysis Generated
May 05, 2026 - 21:33 vuln.today

DescriptionGitHub Advisory

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the dns.interface configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. This issue has been fixed in version 6.6.1.

AnalysisAI

Remote command execution in Pi-hole FTL versions before 6.6.1 allows network-adjacent attackers with API access to inject malicious dnsmasq directives via unvalidated newline characters in the dns.interface configuration field, achieving arbitrary code execution when DHCP leases are requested. Deployments with no admin password (a documented default configuration) expose the configuration API without authentication, enabling unauthenticated remote exploitation. The Pi-hole project released version 6.6.1 with input validation that strips newline characters, and the fix commit (0c46e4ec7f) replaced validate_stub with validate_str_no_newline.

Technical ContextAI

Pi-hole FTL is the DNS and DHCP engine underlying Pi-hole ad-blocking deployments, which generates dnsmasq configuration files from user-controlled settings stored in /etc/pihole/pihole.toml. The vulnerability stems from CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers / Configuration Files). The dns.interface field accepted newline characters without sanitization, allowing injection of arbitrary dnsmasq directives such as dhcp-script=/tmp/malicious_payload within the 31-byte strncpy limit (e.g., wlan0\ndhcp-script=/tmp/p). The dnsmasq dhcp-script directive executes the specified script whenever a DHCP lease is assigned, creating a path from configuration injection to command execution. The FTL 6.6 config validation only verified syntactic correctness of generated dnsmasq configs, so injected valid directives passed checks. The attack chain requires enabling the DHCP server via the same API, making this a multi-step configuration manipulation attack that triggers on network DHCP activity rather than immediate code execution.

RemediationAI

Upgrade to Pi-hole FTL version 6.6.1 or later, released by the vendor with commit 0c46e4ec7fe57f762fce261625f2cf5d43806e6d that replaces validate_stub with validate_str_no_newline to strip newline characters from dns.interface input. Download from https://github.com/pi-hole/FTL/releases/tag/v6.6.1 and follow Pi-hole update procedures. If immediate patching is not feasible, set a strong admin password via pihole -a -p to require authentication for the configuration API, which converts the attack from unauthenticated (PR:N) to requiring low privileges (PR:L). Restrict network access to the Pi-hole web interface (typically TCP 80/443) and API to trusted management networks only using firewall rules or reverse proxy authentication - note this breaks legitimate remote administration and may complicate troubleshooting. Audit /etc/pihole/pihole.toml for unexpected newline characters or dhcp-script directives, and review dnsmasq configuration in /etc/dnsmasq.d/ for injected payloads. Disable the DHCP server feature if not required, though this does not prevent configuration injection, only the DHCP-based trigger mechanism. Monitor for unexpected process execution from dnsmasq parent processes.

Share

CVE-2026-39849 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy